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Abstract 

Information  security  and  assurance  are  new  frontiers  for  collaborative  design.  In  this  context,  in¬ 
formation  assurance  (lA)  refers  to  methodologies  to  protect  engineering  information  by  ensuring  its 
availability,  confidentiality,  integrity,  non-repudiation,  authentication,  access  control,  etc.  In  collabora¬ 
tive  design,  lA  techniques  are  needed  to  protect  intellectual  property,  establish  security  privileges  and 
create  “need  to  know”  protections  on  critical  features. 

This  paper  provides  a  framework  for  information  assurance  within  collaborative  design  based  on  a 
technique  we  call  Role-based  Viewing.  We  extend  upon  prior  work  to  present  Hierarchical  Role-based 
Viewing  as  a  more  flexible  and  practical  approach  since  role  hierarchies  naturally  reflect  an  organization’s 
line  of  authority  and  responsibility.  We  establish  a  direct  correspondence  between  multi-level  security 
and  multiresolution  surfaces  where  a  hierarchy  is  represented  as  a  weighted  directed  acyclic  graph.  The 
permission  discovery  process  is  formalized  as  a  graph  reachability  problem  and  the  path  cost  is  used 
as  input  to  a  multiresolution  function.  By  incorporating  security  with  collaborative  design,  the  costs 
and  risks  incurred  by  multi-organizational  collaboration  can  be  reduced.  The  authors  believes  that  this 
work  is  the  first  of  its  kind  to  unite  multi-level  security  and  information  clouding  with  geometric  data, 
including  multiresolution  surfaces,  in  the  fields  of  computer-aided  design  and  collaborative  engineering. 

1  Introduction 

Information  assurance  (lA)  refers  to  methodologies  to  protect  and  defend  information  and  information 
systems  by  ensuring  their  availability,  integrity,  authentication,  confidentiality,  and  non-repudiation.  In 
collaborative  design,  lA  is  mission-critical.  Suppose  a  team  of  designers  is  working  collaboratively  on  a 
3D  assembly  model.  Each  designer  has  a  different  set  of  security  privileges  and  no  one  on  the  team  has 
the  “need  to  know”  the  details  of  the  entire  design.  In  collaboration,  designers  must  interface  with  others’ 
components/assemblies,  but  do  so  in  a  way  that  provides  each  designer  with  only  the  level  of  information 
he  or  she  is  permitted  to  have  about  each  of  the  components.  Eor  example,  one  may  need  to  know  the 
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exact  shape  of  some  portion  of  the  part  (including  mating  features)  being  created  by  another  designer, 
but  not  the  specifics  of  any  other  aspects  of  the  part.  Such  a  need  can  also  be  found  when  manufacturers 
outsource  designing  a  sub-system:  manufacturers  may  want  to  hide  some  critical  information  of  the 
entire  system  from  suppliers. 

The  authors  believe  that  a  geometric  approach  to  lA  represents  a  new  problem  that  needs  to  be 
addressed  in  the  development  of  collaborative  CAD  systems.  The  approach  we  develop  has  many  uses 
visible  across  several  significant  scenarios  we  envision  for  applying  this  work: 

Protection  of  sensitive  design  information:  As  noted  above,  designers  may  have  “need  to  know”  rights 
based  on  legal,  intellectual  property,  or  national  security  requirements. 

Collaborative  supply  chains:  Engineering  enterprises  outsource  a  considerable  amount  of  design  and 
manufacturing  activity.  In  many  situations,  the  organization  needs  to  provide  vital  design  data  to 
one  partner  while  protecting  the  intellectual  property  of  another  partner. 

Multi-disciplinary  design:  For  designers  of  different  disciplines  working  on  common  design  mod¬ 
els,  designers  suffer  from  cognitive  distraction  when  they  must  interact  with  unnecessary  de¬ 
sign  details  that  they  do  not  understand  and  cannot  change.  For  example,  an  aircraft  wheel 
well  [Callahan  and  Heisserman,  1996]  is  a  complex  and  confusing  place  in  which  electronics,  me¬ 
chanical,  and  hydraulics  engineers  all  must  interact  in  close  quarters  with  vast  amounts  of  detailed 
design  data.  These  interactions  could  be  made  more  efficient  if  the  design  space  could  be  simplified 
to  show  each  engineer  only  the  details  they  need  to  see. 

This  paper  develops  a  new  technique  for  Role-based  Viewing  [Cera  et  ak,  2004]  in  a  collaborative 
3D  assembly  design  environment,  where  multiple  users  work  simultaneously  over  the  network,  and 
presents  a  combination  of  multiresolution  geometry  and  multi-level  information  security  models.  Among 
various  issues  in  lA,  access-control  is  critical  for  the  purpose.  We  demonstrate  the  specification  of  access 
privileges  to  geometric  partitions  in  3D  assembly  models  defined  based  on  the  Bell-Fa  Padula  model. 

In  our  method,  the  partitioning  is  used  to  create  variable  level-of-detail  (FOD)  meshes,  across  both 
individual  parts  and  assemblies,  to  provide  a  Role-based  View  suitable  for  a  user  with  a  given  level  of 
security  clearance.  We  achieve  these  functional  capabilities  within  a  system  designed  for  secure,  real¬ 
time  collaborative  viewing  of  3D  models  by  multiple  users  working  synchronously  over  the  internet  on 
standard  graphics  workstations. 

Aside  from  digital  3D  watermarking,  research  on  how  to  provide  lA  to  distributed  engineering  teams, 
working  in  collaborative  graphical  environments,  remains  a  novel  and  relatively  unexplored  area.  The 
authors  believe  that  this  work  represents  a  unique  application  of  multiresolution  surfaces  to  multi-level 
information  security  in  computer-aided  design  and  collaborative  engineering.  The  specific  contributions 
of  this  work  include: 

Provide  a  geometric  approach  to  Information  Assurance:  Our  work  augments  currently  practiced  access- 
control  techniques  in  collaborative  CAD  and  PDM  systems.  Although  most  of  these  systems  offer 
access-control  facilities,  they  are  often  limited  to  prohibiting  access  to  models  and  documents  and 
not  partitions  of  geometry. 

Develop  alternatives  to  the  problem  of  “all-or-nothing”  permissions:  The  standard  method  for  han¬ 
dling  a  lack  of  appropriate  permissions  is  suppression  of  the  sensitive  features.  This  work  attempts 
to  highlight  some  alternatives  other  than  the  traditional  solution. 

Outline  the  relation  between  Multi-level  Security  Hierarchies  and  Multiresolution  Surfaces:  We  re¬ 
visit  the  problem  of  Role-based  Viewing  in  an  updated  context  using  role  hierarchies.  A  hierarchy 
is  represented  as  a  weighted  directed  acyclic  graph  (DAG),  where  the  permission  discovery  process 
is  formalized  as  a  graph  reachability  problem  and  the  path  cost  is  used  as  input  to  a  multiresolution 
function. 
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This  paper  is  organized  as  follows:  Section  2  describes  related  work  from  information  assurance,  col¬ 
laborative  design,  and  computer  graphics  communities.  Section  3  reviews  the  specification  of  security 
features  in  the  fields  of  solid  modeling  and  engineering  as  outlined  in  Reference  and  presents  Hierarchi¬ 
cal  Role-based  Viewing.  Section  4  explains  the  details  of  our  multiresolution  security  model  and  outlines 
its  relation  to  the  Role  Hierarchy.  Section  5  describes  the  implementation  of  our  prototype  system,  and 
demonstrates  a  sample  scenario  using  our  approach.  Lastly,  Section  7  summarizes  our  results,  presents 
our  conclusions,  and  outlines  goals  for  future  research. 

2  Related  Work 

The  contributions  presented  in  this  paper  are  related  to  information  assurance,  collaborative  design,  and 
multiresolution  surface  generation. 

2.1  Information  Assurance  and  Security 

Current  research  on  information  assurance  incorporates  a  broad  range  of  areas  focused  on  protect¬ 
ing  information  and  information  systems  by  ensuring  their  availability,  integrity,  confidentiality,  non¬ 
repudiation,  authentication,  and  controlling  modes  of  access.  Information  assurance  research,  in  the 
context  of  the  CAD  domain,  has  been  partially  addressed  by  the  computer  graphics  community  through 
the  development  of  3D  digital  watermarking  [Praun  et  al.,  1999].  Digital  Watermarking  is  used  to  ensure 
that  the  integrity  of  a  model  has  been  maintained,  as  well  as  provide  a  foundation  for  proof  of  copyright 
infringement.  Other  areas  of  research  have  been  in  authentication  and  access-control.  We  will  intro¬ 
duce  past  and  present  research  on  access  control  methodologies  and  outline  the  differences  between  the 
varying  policies. 

There  is  a  clear  distinction  between  authentication  and  access  control  services.  Authentication  ser¬ 
vices  are  used  to  correctly  determine  the  identity  of  a  user.  Access  control  is  the  process  of  limiting 
access  to  resources  of  a  system  only  to  authorized  users,  programs,  processes,  or  other  systems.  Authen¬ 
tication  is  closely  coupled  with  access  control,  where  access  control  assumes  that  users  of  an  information 
system  have  properly  been  identified  by  the  system.  If  the  authentication  mechanism  of  a  system  has 
been  compromised,  then  the  access  control  mechanism  that  follows  will  certainly  be  compromised.  The 
primary  focus  of  our  work  is  to  articulate  an  access  control  policy,  specifically  for  the  geometry  of  a 
solid  model,  assuming  a  robust  authentication  mechanism  has  already  been  established.  Access-control 
literature  describes  high-level  policies  on  how  accesses  are  controlled,  as  well  as  low-level  mechanisms 
that  implement  those  policies. 

The  common  access  control  policies  found  in  literature  are  Discretionary,  Lattice-Based,  and  Manda¬ 
tory  Access  Control  (DAC,  LBAC,  and  MAC  respectively).  DAC  was  formally  introduced  by  Lamp- 
son  [Lampson,  1971]  ,  where  essentially  the  owner  of  an  object  has  discretion  over  what  users  were 
authorized  to  access  that  object.  Access  broadly  refers  to  a  particular  mode  of  operation  such  as  read 
or  write.  The  owner  is  typically  designated  as  the  creator  of  an  object,  hence  it  is  an  actual  user  of  the  sys¬ 
tem.  This  is  different  from  LBAC  and  MAC,  which  we  will  refer  to  collectively  as  MAC  [Lampson,  1971], 
where  individual  users  have  no  discretion  over  object  access.  MAC  [Bell  and  La-Padula,  1973]  is  pri¬ 
marily  concerned  with  the  flow  of  information,  thereby  enforcing  restrictions  on  the  direction  of  com¬ 
munication  channels.  For  further  discussion  on  access  control  policies,  we  refer  interested  readers  to  a 
survey  by  Sandhu  [Sandhu  and  Samarati,  1994]. 

Role-Based  Access  Control  (RBAC)  is  an  emerging  area  of  study,  and  is  actively  pursued  as  an 
augmentation  of  traditional  DAC  and  MAC.  RBAC  is  an  instance  of  a  Multi-Level  Security  (MLS) 
framework,  which  is  still  an  actively  pursued  area  in  the  database  community  [Jajodia  and  Sandhu,  1991, 
Sandhu  and  Chen,  1998].  In  RBAC,  individual  users  are  assigned  roles,  and  the  access  permissions  of 
an  object  are  also  assigned  to  roles.  Therefore  the  permissions  assigned  to  a  role  are  acquired  by  the 
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members  associated  with  it.  This  additional  layer  reduces  the  management  of  permissions  and  supports 
the  concepts  of  least  privilege,  separation  of  duties,  and  data  abstraction.  RBAC,  and  its  associated 
components,  are  an  instrument  for  expressing  a  policy,  and  not  a  policy  by  itself.  For  role-based  viewing, 
we  use  a  MAC  policy  embodied  within  an  RBAC  framework. 

2.2  Collaborative  Design 

There  is  a  vast  body  of  past  work  on  concurrent  engineering  and  collaborative  design.  In  our  view,  this 
research  can  be  [loosely]  grouped  into  two  categories  which  we  will  call  “data  centric”  and  “interaction 
centric.” 

Data  centric  research  focuses  on  collaborative  data  sharing  or  knowledge  sharing.  Historically,  re¬ 
search  of  this  kind  emerged  simultaneously  from  the  engineering,  the  artificial  intelligence,  and  database 
communities.  Interaction  centric  approaches  deal  with  the  real-time  or  asynchronous  collaboration 
among  people  in  the  design  process.  This  most  frequently  means  real-time,  collaborative,  multi-user 
environments.  Often  these  environments  would  be  graphical,  or  3D;  in  other  cases,  the  environment 
consist  of  computer-supported  cooperative  work  (CSCW)  tools  coupled  with  design  systems.  Much  of 
the  recent  work  in  Collaborative  Graphics  falls  into  the  latter  category. 

The  subset  of  existing  work  most  relevant  to  our  efforts  is  interaction  centric,  dealing  with  real-time 
3D  collaboration  and  communication.  Distributed  Virtual  Environments  (DVEs)  [Jayaram  et  ak,  1999, 
Eriksson,  1994,  Macedonia  et  ak,  1994]  have  been  developed  for  real-time  interactions  between  dis¬ 
tributed  collaborators  in  a  number  of  different  domains.  Immersive  environments  such  as 
CAVEs  [Cruz-Neira  et  ak,  1993]  have  been  developed  which  also  support  real-time  interaction,  but  they 
do  not  necessarily  support  collaborative  CAD.  [Conner  et  ak,  1997]  directly  addressed  the  use  of  dis¬ 
tributed  VR  for  collaborative  design,  but  in  this  work  the  design  data  was  largely  static  and  not  worked 
on  synchronously  by  multiple  users.  In  each  of  these  cases,  the  work  employed  large-scale  virtual  reality 
systems. 

On  the  scale  team  design,  where  individual  users  collaborate  using  more  typical  computing  hard¬ 
ware,  empirical  study  is  recently  beginning  to  emerge.  SHASTRA  is  an  environment  for  collabo¬ 
rative  visualization  and  shared  multimedia,  demonstrated  mostly  for  scientific  and  medical  applica¬ 
tions  [Anupam  and  Bajaj,  1993].  The  DOME  [Pahng  et  ak,  1998,  Abrahamson  et  ak,  2000]  and 
EIPER  [Rohl  et  ak,  2000,  Kao  et  ak,  2003]  systems  target  the  integration  of  software  products,  and  co¬ 
ordination  between  them  over  the  network,  for  collaboration  among  individuals  assigned  disjoint  duties 
in  the  product  development  cycle  or  across  institutional  boundaries.  These  systems  support  an  access- 
control  framework,  but  do  not  offer  alternatives  to  the  problem  of  “all-or-nothing”  feature  suppression 
when  a  lack  of  full  permissions  exists. 

Research  efforts  on  level  of  detail  (LOD)  rendering  [Hoppe,  1998],  view-dependent 
rendering  [De  Eloriani  et  ak,  2000]  and  3D  compression  [Deering,  1995,  Taubin  and  Rossignac,  1998, 
Gueziec  et  ak,  1999]  often  mention  the  applicability  of  these  techniques  to  collaborative  design.  To 
date,  however,  the  main  use  of  these  efforts  has  been  limited  to  areas  such  as  streaming  or  transmitting 
3D  data  over  the  Internet. 


2.3  Multiresolution  Techniques 

Polygon  meshes  lend  themselves  to  fast  rendering  algorithms,  which  are  hardware-accelerated  in  most 
platforms.  Many  applications,  including  CAD,  require  highly  detailed  models  to  maintain  a  convincing 
level  of  realism.  It  is  often  necessary  to  provide  LOD  techniques  in  order  to  deliver  real-time  computer 
graphics  and  animations.  Therefore,  mesh  simplification  is  adopted  for  efficient  rendering,  transmission, 
and  various  computations.  The  most  common  use  of  mesh  simplification  is  to  generate  multiresolution 
models  or  various  levels  of  detail  (LOD).  Eor  example,  closer  objects  are  rendered  with  a  higher  LOD, 
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and  distant  objects  with  a  lower  LOD.  Thanks  to  LOD  management,  many  applications  such  as  CAD 
visualization  can  accelerate  rendering  and  increase  interactivity.  A  recent  survey  on  mesh  simplification 
can  be  found  in  Reference  [Luebke,  2001]. 

The  most  popular  polygon-reduction  technique  is  an  edge  collapse  or  simply  ecol  (more  generally, 
vertex  merging  or  vertex  pair  contraction)  where  two  vertices  are  collapsed  into  a  single  one.  The  issues 
in  ecol  include  which  vertices  to  merge  in  what  order,  where  to  place  the  resulting  vertex,  etc.  Vertex 
split  or  simply  vsplit  is  the  inverse  operation  of  ecol.  These  operations  are  illustrated  in  Figure  1(a)  and 
a  sequence  of  operations  is  illustrated  on  a  sample  model  given  in  Figure  1(b). 


(a)  Edge  collapse  (ecol)  and  vertex  split  {vsplit)  oper-  (b)  Sequence  of  operations  on  the  “socket” 

ations.  v,  (top)  and  (bottom)  collapse  into  Vm  (mid-  model  [National  Design  Repository,  2003]. 

die).  The  inverse  operation  involves  splitting  Vm  back 
into  V,  and  v^. 


Figure  1:  Illustration  of  Multiresolution  teehniques. 

Hoppe  proposed  progressive  mesh  (PM)  [Hoppe,  1996],  which  consists  of  a  coarse  base  mesh  (cre¬ 
ated  by  a  sequence  of  ecol  operations)  and  a  sequence  of  vsplit  operations.  Applying  a  subset  of  vsplit 
operations  to  the  base  mesh  creates  an  intermediate  simplification.  The  vsplit  and  ecol  operations  are 
known  to  be  fast  enough  to  apply  at  runtime,  therefore  supporting  dynamic  simplification. 

3  Role-based  Viewing 

In  the  context  of  3D  design,  a  model  M  is  a  description  of  an  artifact,  usually  an  individual  part  or 
assembly,  in  the  form  of  a  solid  model.  A  true  collaborative  engineering  environment  enables  multiple 
engineers  to  simultaneously  work  with  M.  The  engineers  (designers,  process  engineers,  etc)  correspond 
to  a  set  of  actors  A  =  . . .,««},  each  of  which  has  associated  with  it  a  set  of  roles.  Roles,  R  = 

{rQ,rj,. . .  ,rm},  define  access  and  interaction  rights  for  the  actors.  For  example,  actor  a^  might  have 
associated  with  it  roles  r2Q,r23,  and  r-j^ — this  entitles  them  to  view  (and  perhaps  change)  portions  of  M 
associated  with  these  roles.  Portions  of  M  not  associated  with  these  roles,  however,  might  be  “off  limits” 
to  actor  flj.  This  section  will  build  on  the  results  of  Reference  [Ceraet  al.,  2004],  where  Role-based 
Viewing  was  developed  in  the  context  of  distributed  collaborative  CAD,  by  introducing  role  hierarchies 
and  their  relation  to  multiresolution  surfaces. 

We  formulate  the  problem  of  role-based  viewing  in  the  following  subsections  by  developing: 

•  Actor-Role  Framework:  a  general  RBAC  framework  for  describing  actors  and  roles  within  a 
collaborative-distributed  design  environment.  This  framework  uses  a  hierarchical  graph  to  capture 
role-role  relationships  and  create  a  relation  between  actors  and  roles. 
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•  Model-Role  Framework:  an  associative  mapping  from  roles  to  topological  regions  on  models. 
These  regions  capture  the  security  features,  F,  of  a  3D  model — ^relating  how  a  point,  patch,  part, 
or  assembly  can  be  viewed  by  actors  with  given  roles. 

•  Hierarchical  Role-Based  Viewing:  an  algorithm  to  generate  a  role-based  view  given  an  actor  a, 
his/her  set  of  roles,  the  role  hierarchy  {RH),  a  model  M,  and  its  set  of  security  features.  A  role- 
based  view  is  a  tailored  3D  model  which  is  customized  for  actor  a  based  on  the  roles  defining  a’s 
access  permissions  on  the  model.  In  this  way,  the  role-based  view  model  does  not  compromise 
sensitive  model  information  which  a  is  not  allowed  to  see  (or  see  in  detail).  This  is  accomplished 
using  a  mesh  simplification  technique  to  generate  the  role-based  view. 

3.1  Actor-Role  Security  Framework 

Our  security  framework  is  based  on  an  adaptation  of  role-based  access  control,  as  developed  in  the  in¬ 
formation  assurance  and  security  literature  [Sandhu  et  al.,  1996],  to  the  collaborative  design  problem. 
We  focus  on  the  relation  between  actors,  their  roles  and  the  solid  model  geometry.  This  is  in  contrast  to 
other  work  on  access  control  in  collaborative  CAD  which  has  focused  mainly  on  database  synchroniza¬ 
tion/transaction  issues  [Bancilhon  et  al.,  1985]. 

Representing  Actors  and  Roles  We  define  a  hierarchical  RBAC  framework  where: 

1.  Entities  include  a  set  of  actors,  A  =  .  ..,a„}  and  a  set  of  roles  R  =  {rQ,r^  ,...,r„}-, 

2.  Actor-Role  Assignment,  AR,  is  a  relation  (possibly  many-to-many)  of  actors  to  roles:  AR  CAxR-, 

3.  Role  Hierarchy,  RH,  captures  the  relationships  among  the  roles.  For  example,  the  permissions 

entailed  by  role  r^^  might  be  a  superset  of  those  entailed  by  r2^.  Hence,  the  role  hierarchy  is  a 
weighted,  directed  acyclic  graph  (DAG),  RH  =  {R,H),  where  H  C  Rx  Ris  the  hierarchical  set  of 
relationships  (edges)  among  the  roles  in  R.  This  creates  a  partial  order  on  R,  hence  (in  the  example 
above)  if  <  ^23,  >G  H  then  r23  ^  The  weight  of  each  edge  in  H  is  given  by  the  real-valued 
function  w  :  [0, 1]. 

An  example  of  this  RBAC  framework  is  given  in  Figure  2.  For  the  remainder  of  this  paper,  we  focus 
on  read  permission  granted  by  a  given  set  of  roles.  Rather  than  “all  or  nothing”  read  permissions,  our 
objective  is  to  assign  a  “degree  of  visibility”  to  features  of  a  model  based  on  an  actor’s  roles.  Using 
this  formulation,  we  show  how  one  can  implement  a  Bell-La  Padula-based  [Bell  and  La-Padula,  1973] 
security  model  for  collaborative  viewing  of  CAD  data. 


Visibility 

% 

a2 

fo 
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G 

• 

G 

• 

G 

• 

(b)  An  example  weighted  Role  Hierarchy. 


(a)  An  example  Actor-Role  assign¬ 
ment  matrix. 


Figure  2:  Example  Aetor-Role  (AR)  and  Role  Hierarehy  (RH)  assignments. 
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Example.  Using  the  simple  actor-role  assignment  matrix  and  role  hierarchy  from  Figure  2,  we  can 
compute  the  degree  of  visibility  to  each  actor  for  a  model  assigned  to  a  specific  role.  To  implement 
the  Bell-La  Padula  [Bell  and  La-Padula,  1973]  model,  we  need  to  compute  visibility  in  such  a  way  as 
to  guarantee  that  the  role  (e.g.,  security  clearance)  of  someone  receiving  a  piece  of  information  must  be 
at  least  as  high  as  the  role  assigned  to  the  information  itself.  In  this  way,  a  CAD  model  classified  as 
“Secret”  can  only  be  viewed  by  those  with  a  “Top-Secret”  or  “Secret”  classification,  but  not  viewed  by 
someone  with  only  a  “Confidential”  level  of  access.  Figure  3  illustrates  this  example. 


^  ^  Secret  Confidential  Unclassified 

Secret 


Figure  3:  An  example  weighted  Role  Hierarchy  with  associated  labels. 


3.2  Model-Role  Security  Framework 

Let  M  be  a  solid  model  of  an  artifact  (part,  assembly,  etc.)  and  let  b{M)  represent  the  boundary  of  M.  In 
this  context,  the  Model-Role  Assignment,  MR,  is  a  relation  (possibly  many-to-many)  assigning  roles  to 
points  on  the  surface  of  the  model;  MR  C  b{M)  x  R,  where  each  point  on  b{M)  has  at  least  one  role  (i.e., 
Vp  G  b{M)  ,3r  GR  such  that  <  p,r>G  MR).  In  this  way,  each  point  on  the  surface  of  the  solid  model  M 
has  associated  with  it  some  set  of  access  rights  dependent  on  the  roles  associated  with  it. 

In  practice,  it  is  impractical  to  assign  roles  point-by-point  to  the  b{M).  Hence,  we  define  a  set  of 
security  features,  F  =  {/o,/i,  •  •  ■  ,/j.},  where  each  is  a  topologically  connected  patch  on  b{M)  and 
IJF  =  b{M)-,  and  each  has  a  common  set  of  role  assignments.  Therefore,  the  Model-Role  assignment 
can  be  simplified  to  be  the  relation  associating  security  features  with  access  roles;  MR  C  F  x  R. 

Example.  Let  M  he  a  solid  model;  let  F  =  {f^},  where  /j  =  b{M)  (i.e.,  the  entire  boundary  is  one 
security  feature).  If  MR  =  {<  /^rg  >}  (where  r^  is  from  the  previous  example  in  Figure  3),  then  we 
can  see  the  resultant  model  for  r^  depicted  in  Figure  4. 


Figure  4;  An  example  part  with  one  security  feature  where  b(M)  is  assigned  to  r^. 


3.3  Hierarchical  Role-Based  Viewing 

The  issue  now  is  that,  for  a  given  actor  a,  what  portions  of  the  model  M  that  he/she  can  see  will  depend 
on  their  associated  roles  and  the  security  features  of  the  model.  Depending  on  their  permissions,  a  new 
model,  M',  must  be  generated  from  M  such  that  the  security  features  are  not  shown  or  obfuscated  based 
on  the  actor’s  roles.  If  their  roles  give  them  permission  to  see  certain  features  (i.e.,  mating  features). 
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then  the  resulting  model  includes  the  features  with  the  same  fidelity  as  in  M;  if  not,  the  features  must  be 
obfuscated  in  such  a  way  as  to  hide  from  a  what  a  does  not  have  the  right  to  see.  Hence,  the  role-based 
view  generation  problem  can  be  stated  as  follows: 

Problem  Given  a  set  of  roles  and  their  relationships  {R  and  RH)-,  a  solid  model  and  its  security  features 
(M,  F,  and  MR)-,  and  an  actor  (a  and  AR),  determine  the  appropriate  view  M'  of  model  M  for  actor  a. 

We  propose  a  solution  based  on  the  use  of  multiresolution  meshes,  as  follows: 

1 .  Convert  solid  model  M  to  a  high-fidelity  mesh  representation; 

2.  Based  on  F,  determine  which  facets  belong  to  each  security  feature,  /; 

3.  For  each  security  feature /,  do: 

(a)  If  the  intersection  of  actor  a’s  roles  and  /’s  roles  is  non-empty,  then  add  the  facets  associated 
with  /  to  M'; 

(b)  If  actor  a’s  roles  do  not  intersect  the  roles  of  /,  determine  (using  RH)  how  much  of  /  they 
are  allowed  to  see  and  create  a  set  of  modified  facets  to  represent  /  for  inclusion  in  M' . 

4.  Clean  up  the  resulting  M'  so  that  boundaries  of  the  f^’s  are  topologically  valid. 

5.  Return  M'. 

There  are  three  research  problems  we  address: 

1 .  How  does  the  role-hierarchy  RH  relate  to  the  degree  of  visibility? 

We  show  how  the  weighted  DAG  that  comprises  RH  can  be  used  to  implement  a  number  of  useful 
security  policies  by  making  the  model  quality  a  function  of  the  “path  cost”  among  roles  in  RH. 

2.  How  to  modify  the  facets  for  each  based  on  RH? 

Our  approach  is  to  use  a  security  policy  (based  on  Bell-La  Padula)  associated  with  the  role  hierar¬ 
chy  RH  to  determine  how  to  modify  the  model.  In  some  cases,  policy  will  dictate  degradation  of 
the  model  fidelity;  in  other  cases,  the  security  features  may  be  completely  deleted  or  replaced  with 
a  simple  convex  hull  or  bounding  box  as  in  Reference  [Cera  et  al.,  2004].  To  accomplish  this,  we 
employ  multiresolution  meshes:  model  fidelity  will  be  preserved  to  the  degree  the  actor’s  rights 
allow  it.  The  result  is  a  mesh  appropriate  for  viewing  by  the  actor  a. 

3.  How  to  ensure  that  the  resulting  regions  form  a  topologically  valid  model? 

Deforming  the  model  feature  by  feature  may  result  in  topological  regions  of  facets  in  M'  that  are 
mis-aligned  or  aesthetically  unpleasing.  Cracks  and  occlusion  can  be  avoided  by  preserving  the 
boundary  edges  during  simplification. 

Example.  This  example  shows  a  model  M  whose  surface  is  described  by  one  security  feature  /q. 
Given  the  role-hierarchy  from  Figure  3,  and  four  actors,  Oq,  Oj,  02,  and  with  their  AR  shown  in 
Figure  2.  Figure  5  shows  the  four  different  views  of  model  M  they  each  see.  Given  the  AR,  RH,  and 
MR  assignments,  we  can  derive  the  direct  actor  x  feature  mappings.  Figure  6  gives  the  direct  mappings 
specified  implicitly  by  the  AR,  RH,  and  MR  given  in  Figures  2(a),  2(b),  and  5  respectively.  The  two  MR 
assignments  that  are  not  shown  are  /j  G  r^  and  /2  G  rj.  It  is  important  to  note  that,  similar  to  inheritance 
found  in  most  object-oriented  programming  languages,  a^  cannot  see  /j  or  /2  even  though  it  is  the  base 
role  for  sub-roles  rj,  r2,  and  r^.  Hence  an  inheritance  relation  allows  a  child  to  inherit  the  permissions 
of  the  parent,  but  nothing  is  implied  in  the  other  direction. 
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Figure  5:  An  example  part  with  one  security  feature  (/q)  consisting  of  b{M)  assigned  to  r^,  a  set  of  actors 
assigned  to  roles,  and  their  corresponding  set  of  secure  models. 
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/i 

fi 
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nj  a 
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nj  a 

nj  a 

^2 
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«3 

0.25 
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Figure  6:  The  direct  permission  mappings  derived  from  the  AR,  RH,  and  MR  relations  given  in  Figures  2(a), 
2(b),  AND  5  respectively. 

4  Technical  Approach 

We  combine  techniques  from  solid  modeling  and  computer  graphics  to  provide  a  secure  collaborative 
environment  which  supports  real-time  design.  In  this  section  we  describe  how  to  modify  and  configure 
Hierarchical  RBAC  to  support  our  multiresolution  security  model.  We  describe  the  problems,  algorithms 
employed,  and  final  considerations. 
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4.1  Hierarchical  RBAC  Policy 

Since  RBAC  is  a  means  of  articulating  policy  rather  than  a  policy  by  itself,  an  actual  policy  is  necessary. 
We  wish  to  adopt  a  policy  similar  to  the  classical  MAC  model  [Bell  and  La-Padula,  1973].  This  is  defined 
in  terms  of  the  following  axioms  using  X  to  return  the  security  level  of  either  an  actor  or  a  feature: 

1.  Simple  Security  Property  -  Actor  a  can  read  feature  /  iff  X{a)  >  X{f).  This  is  also  known  as  the 
read-down  property. 

2.  Liberal  ^-Property  Actor  a  can  write  feature  /  iff  X{a)  <  X{f).  This  is  also  known  as  the  write¬ 
up  property. 

There  are  many  variations  of  the  ^-property,  but  we  will  focus  on  the  simple  security  property 
which  essentially  states  that  the  clearance  of  a  person  receiving  a  piece  of  information  must  be  at  least 
as  high  as  the  classification  of  the  object.  Details  on  a  formal  construction  of  MAC  in  RBAC  have  been 
presented  by  Osborn  [Osborn  et  ak,  2000]. 

Hierarchical  RBAC  is  a  natural  means  for  structuring  roles  that  reflect  an  organization’s  lines  of 
authority  and  responsibility  [Sandhu  et  ak,  1996].  The  main  distinction  between  our  approach  and  the 
generic  RBAC  frameworks  found  in  literature,  is  that  we  also  allow  permissions  to  be  modified  through 
the  role  hierarchy.  Typically  permissions  (i.e.,  an  object  and  a  permissible  operation)  are  associated  with 
every  combination  of  object  x  role.  Since  our  read  permissions  are  specified  by  a  degree  of  visibility 
value,  an  inheritance  relation  can  further  refine  this  value.  An  inheritance  relation  is  a  binary  relation 
{parent ,  child),  where  the  child  inherits  permissions  from  the  parent  based  upon  a  multiplicative  weight 
w.  For  instance:  w  =  1 .0  preserves  the  parents  permissions  exactly,  while  w  =  0.5  will  reduce  the  degree 
of  visibility  by  half  for  all  inherited  objects.  By  transitivity,  this  weighted  factor  applies  to  all  inherited 
objects  specified  in  the  role  hierarchy. 

Intuitively,  it  might  appear  that  we’re  breaking  the  simple  security  property  by  allowing  some  actors 
to  view  objects  that  they  normally  would  not  be  able  to  see.  This  is  not  the  case,  and  instead  should  be 
viewed  as  transforming  one  object  into  a  new  object  that  is  permissible.  Hence,  our  model  still  adheres 

to  the  simple  security  property. 

Given  an  actor  (a)  and  a  feature  (/),  the  test  to  determine  if  a  has  permissions  on  /  is  equivalent  to 
computing  graph  reachability  among  all  possible  pairs  of  roles  assigned  to  both  a  and  /.  We  will  use 
Pa  to  denote  the  set  of  roles  assigned  to  a,  and  7?^  for  the  set  of  roles  assigned  to  /.  If  any  role  in  Ra  is 
reachable  from  any  other  role  in  (i.e.,  there  exists  a  path),  then  the  sum  of  all  weights  along  the  path 
yields  the  degree  of  visibility  for  that  path.  We  will  use  a  reachability  function  to  return  the  set  of  all  roles 
reachable  from  a  given  role.  This  may  reveal  several  paths,  hence  the  resultant  degree  of  visibility  for  a 
will  be  chosen  as  the  maximum.  We  denote  the  function  that  returns  the  maximum  degree  of  visibility 
for  a  on  /  as  a{a,f).  The  result  of  this  function  can  be  computed  once,  stored,  and  re-used  until  an 
existing  role  assignment  (AR  or  MR)  is  modified.  The  degree  of  visibility  is  then  used  as  a  parameter 
to  another  function,  degradeResolution{a,  f),  which  degrades  the  fidelity  of  a  feature  depending  on  an 
actors  permissions. 

a  {Act  or  a,  Feature  f) 

1:  Ra  =  {roles{a)y, 

2:  R f  =  {roles{f)y, 

3:  liRaFRy.  —  0 then 
4:  return  1; 

5:  else 

6:  //  Check  RH  for  reachability  from  ra  to  r^ 

T.  D„l'  =  0.0 

8:  for  all  ra  G  Ra  do 

9:  for  all  r^  G  R^  do 
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10:  for  all  p  G  {paths{ra,r^)}  do 

11:  DoV  =  MAX{DoV,path_cost{p))', 

12:  end  for 

13:  end  for 

14:  end  for 

15:  return  DoV; 

16:  end  if 

display -feature(Actor  a, Feature  f) 

1:  if  a  (a,/)  ==  1.0  then 
2:  return  /; 

3:  else 

4:  f  =  degradeResolution{f  ,a{a,  f))\ 

5:  return/'; 

6:  end  if 

4.2  Generation  of  Multi-level  Security  Models 

For  part/component/assemblies  with  regions  that  need  to  be  secured,  multiresolution  techniques  are  em¬ 
ployed  to  provide  various  levels  of  detail.  Although  the  original  (highest)  resolution  version  of  a  model 
might  be  a  breach  for  some  actors,  lower  resolution  LODs  will  be  sufficiently  secure  to  transmit  to  those 
actors.  In  addition  to  purely  geometric  multiresolution  techniques,  Shyamsundar  and  Gadh  have  devel¬ 
oped  a  framework  for  representing  different  levels  of  detail  for  geometric  feature 
data  [Shyamsundar  and  Gadh,  2001,  Shyamsundar  and  Gadh,  2002].  Our  security  model  could  be  used 
in  conjunction  with  this  feature  LOD  representation,  but  an  automatic  simplification  algorithm  needs  to 
be  developed. 

Mesh  simplification  techniques  include  either  vertex  decimation,  vertex  clustering,  or  edge  contrac¬ 
tion.  Choosing  a  specific  simplification  technique  among  the  breadth  of  candidates  is  application  de¬ 
pendent.  To  address  the  demands  of  an  interactive  collaborative  design  environment,  we  outline  several 
issues  which  are  critical  for  simplification; 

1.  speed:  As  the  number  of  component/assemblies  in  a  session  increases,  the  simplification  becomes 
the  bottleneck.  We  need  an  algorithm  capable  of  drastic  simplification  in  the  least  amount  of  time. 

2.  dynamic:  Dynamic  simplification  provides  a  continuous  spectrum  of  detail  so  an  appropriate  model 
can  be  selected  at  runtime.  We  do  not  wish  to  store  all  possible  LODs  within  the  model  repository. 
Therefore  a  dynamic  simplification  will  be  ideal. 

3.  topology  preserving:  To  produce  the  most  realistic  simplification  the  original  model’s  topology 
should  be  preserved.  In  addition,  progressive  meshes  [Hoppe,  1996]  are  incompatible  with  topol¬ 
ogy  modifying  simplification  and  this  technique  will  be  useful  for  network  transmission  in  a  multi¬ 
user  environment. 

4.  boundary  preserving:  The  boundary  of  objects  should  be  preserved  in  order  to  distinguish  objects 
from  one  another.  Inadvertent  occlusion  and  cracks  may  result  if  we  relieve  this  constraint. 

5.  view-independence:  The  viewer  receives  3D  model  information  therefore  the  simplification  should 
also  support  this. 

Given  our  requirements.  Quadric  Error  Metrics  [Garland  and  Heckbert,  1997]  (QEM)  is  an  obvious 
candidate.  QEM  provides  drastic  simplification,  capable  of  progressivity,  in  a  reasonably  small  amount 
of  time.  This  algorithm  also  produces  a  result  that  is  realistic  and  recognizable  as  a  simplified  variant 
of  the  original  model.  One  issue  is  the  algorithms  dependence  upon  a  threshold  value.  In  the  rare  case 
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that  the  threshold  value  is  as  large  as  the  model  itself,  then  the  algorithm  runs  in  0{rP').  An  alternative 
approach  is  to  compute  an  optimal  threshold  adaptively  [Erikson  and  Manocha,  1999]. 

We  have  proposed  using  an  automatic  simplification  technique  to  degrade  the  fidelity  of  a  model 
enough  to  satisfy  the  access-control  requirements  of  a  collaborative  design  session.  An  automatic  tech¬ 
nique  cannot  be  proven  to  sufficiently  degrade  the  model  enough  to  be  secure  in  all  environments.  The 
process  can  be  supplemented  by  adopting  a  form  of  user-guided  simplification  [Li  and  Watson,  2001, 
Kho  and  Garland,  2003].  User-guided  simplification  is  a  means  of  supervising  the  simplification  by 
editing  the  order  of  ecol  performed  during  simplification,  selecting  regions  where  more  or  less  simplifi¬ 
cation  is  necessary,  or  directly  manipulating  the  vertex  hierarchy.  A  side  effect  is  that  these  simplification 
parameters  need  to  be  stored  with  the  model,  since  these  cannot  be  automatically  derived. 

QEM  simplification  can  be  configured  to  either  maintain  or  modify  the  topological  genus  of  a  model. 
In  a  multi-user  CAD  server,  progressive  meshes  (PM)  [Hoppe,  1996]  can  be  useful  for  the  transmission 
of  CAD  models.  If  PM  is  used,  and  if  the  removal  of  holes  yields  a  more  secure  version  of  a  particular 
model,  then  genus-reduction  techniques  must  be  employed  since  standard  PM  is  not  compatible  with 
topology-modifying  simplification. 

Cracks  and  occlusion  must  be  avoided  for  continuous  and  adjacent  regions  of  a  part  that  are  simplified 
independently.  If  a  single  part  is  partitioned  into  two  or  more  regions,  and  each  region  has  a  different 
model-role  assignment,  then  the  regions  will  be  simplified  at  different  levels  of  detail.  If  boundary  edges 
of  the  mesh  are  not  preserved,  then  possibly  cracks  and  self-occlusion  will  result.  As  a  simple  example, 
Eigure  7(a)  gives  an  example  of  a  gear  tooth  that  has  a  different  model-role  assignment  than  the  rest  of 
the  gear.  If  this  tooth  is  simplified  without  preserving  boundary  edges,  then,  as  in  Eigure  7(b),  cracks 
occur  between  the  regions  and  self-occlusion  results. 


(a)  Original  tooth  of  a  spur  gear. 


(b)  Over-simplified  version  of  the  tooth  without  pre¬ 
serving  boundary  edges. 


Figure  7 :  Illustration  of  cracks  and  self-occlusion  that  can  occur  as  a  result  of  simplification. 
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5  Realization  of  Approach 

The  FACADE  system  is  a  multi-purpose  CAD  framework  that  supports  numerous  modes  of  functionality 
implemented  as  modules.  Its  most  basic  component  is  a  3D  model  viewer  that  supports  standard  camera 
navigation  operations  and  the  ability  to  view  models  using  different  shading  algorithms  or  as  a  wireframe. 
FACADE’s  design  allows  instances  of  the  system  to  be  compiled  with  or  without  a  particular  module. 

The  first  module  is  a  light  design  module  which  enables  several  basic  tasks  such  as:  selection  of  a 
part,  component,  assembly,  or  other  selectable  entity;  applying  affine  transformations  on  a  part;  adding 
an  alpha  channel  to  a  part  for  transparency;  decomposing  a  part  into  multiple  parts;  specifying  a  set  of 
parts  as  an  assembly;  manipulating  control  points  on  parametric  surfaces  (eg.  bezier  patches,  splines, 
and  NURBS).  This  subsystem  is  a  prerequisite  for  most  of  the  remaining  modules  described  below. 

The  next  module  provides  a  semantic  authoring  interface  as  developed  in 
Reference  [Kopena  et  ak,  2004].  This  interface  allows  a  designer  to  specify  the  function  of  parts,  com¬ 
ponents,  and  assemblies,  as  well  as  the ^ow  of  inputs/outputs  from  one  function  to  another.  The  module 
first  makes  a  query,  over  the  network,  to  the  OwlJessKB  reasoner  asking  for  the  ontological  elements 
that  it  can  use  for  the  authoring  of  the  function  and  ^ow  semantics.  After  annotation  is  complete,  the 
module  provides  the  ability  to  save  the  semantic  feature  description  to  an  OWL  file  which  will  be  used 
during  subsequent  steps  in  the  conceptual  design  phase. 

The  next  module,  which  is  at  the  focus  of  this  paper,  is  the  security  authoring  interface.  This  module 
provides  an  interface  which  allows  a  designer  to  assign  role-based  viewing  parameters  to  a  part,  compo¬ 
nent,  assembly,  or  semantic  features  that  can  be  saved  and  later  re-loaded.  The  designing  stage  allows 
a  designer  to  assign  a  {label,  permission}-tuple  to  parts,  assemblies,  or  individual  facets.  The  normal¬ 
ized  permissions  [0.0  —  1 .0]  were  used  to  indicate  a  percentage  of  the  features  to  be  suppressed  from  the 
original  model.  In  situations  where  the  result  is  not  sufficiently  secure,  a  supervised  technique,  such  as 
user-guided  simplification  can  be  used. 

When  a  designer  requests  a  model,  they  must  first  declare  their  identity  so  all  direct  role  associations 
can  be  retrieved  and  implied  associations,  from  RH,  can  be  derived.  Based  upon  the  roles  associated 
with  a  designer  and  the  model  features,  a  role-based  view  is  generated.  We  used  a  single  administrative 
account  to  modify  permissions  in  the  model  repository.  There  are  numerous  administrative  configu¬ 
rations  which  have  been  presented  by  Sandhu  [Sandhu  et  ak,  1999].  The  goals  and  constraints  of  the 
collaboration  will  dictate  how  comprehensive  the  role  administration  requirements  should  be. 

We  have  implemented  our  own  topology-preserving  QEM-based  simplification  algorithm.  For  the 
experiments  in  this  paper,  we  chose  to  collapse  only  vertex  pairs  which  are  connected  by  an  edge.  The 
simplification  algorithm  is  passed  each  tessellated  and  triangulated  part,  or  connected  region  of  a  part 
with  an  equivalent  {label,  permission}  set  of  tuples.  Since  these  regions  are  disjoint,  they  can  be  simpli¬ 
fied  and  transmitted  in  parallel. 

The  last  module  in  FACADE  enables  the  network  client  interface  that  can  talk  to  a  FACADE  server. 
The  server  works  in  conjunction  with  the  security  module  to  provide  role-based  views  to  clients  which 
do  not  have  permissions  to  manipulate  or  view  a  model,  or  its  semantic  features,  at  full  resolution.  The 
server  maintains  consistency  throughout  all  connected  clients  by  sending  rejection  messages  to  clients 
when  a  design  operation  they  have  performed  conflicts  with  the  operation  of  another  client.  The  server 
supports  both  “thin”  and  “fat”  FACADE  network  clients  and  their  corresponding  protocols.  The  thin 
clients  understand  the  Remote  Frame  Buffer  (RFB)  protocol  [Richardson  and  Wood,  1998].  The  fat 
clients  understand  an  unpublished  text-based  protocol  which  sends  only  design  transformation  informa¬ 
tion  after  the  initial  model  is  sent. 

The  FACADE  framework  has  been  designed  for  maximum  portability  across  all  platforms.  It  has 
been  tested  and  simultaneously  developed  in  Solaris/SunOS  (Sun  CC/GNU  g-H-),  Linux  (GNU  g-n-), 
and  Windows  2000  (Microsoft  Visual  C-H-)  operating  systems.  It  is  implemented  in  C-H-  using  OpenGL 
as  the  graphics  rendering  library.  An  OpenGL  canvas  can  be  displayed  using  either  GLUT  or  Java  via 
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the  JNI  interface.  The  network  socket  libraries  use  BSD-style  sockets  under  Unix-based  derivatives  and 
Winsock2  under  Windows.  The  multi-threaded  code  uses  POSIX  threads  (pthreads)  under  Unix-based 
derivatives  and  Windows  Threads  under  Windows. 


6  Example:  Computer  Mouse  Assembly 

We  show  how  role  hierarchies  can  be  used  to  instantiate  a  multi-level  information  security  model  on 
an  electro-mechanical  assembly.  Unlike  previous  work  in  role-based  viewing  [Cera  et  ak,  2004],  this 
example  demonstrates  how  the  weighted  role  hierarchy  affects  the  collaboration  space.  We  present  this 
as  a  more  flexible  and  practical  approach  since  role  hierarchies  naturally  reflect  an  organization’s  line  of 
authority  and  responsibility. 

In  the  following  example  scenario,  six  actors  are  granted  permission  to  view  and  modify  a  mouse 
assembly  at  some  level  of  abstraction.  Each  actor  is  assigned  a  label  and  assigned  a  role  from  the  role 
hierarchy.  The  set  of  actors  is  partitioned  into  three  groups  based  on  the  nature  of  the  design  work: 
electrical,  mechanical,  and  ergonomic.  Individual  parts,  regions  of  parts,  or  other  feature  information 
are  assigned  labels  and  grouped  into  one  of  the  hierarchies.  These  labels  and  descriptions  are  given  in 
Figure  8. 


Label 

Feature 

Hierarchy 

/o 

Cable 

Electrical 

/i 

Circuit  Board 

Electrical 

fi 

Cable/Board  Interface 

Electrical 

/s 

Ball 

Mechanical 

/4 

Ball  Housing 

Mechanical 

/5 

Lower  Casing 

Ergonomic 

fe 

Buttons 

Ergonomic 

(b)  Description  of  features. 


Eabel 

Actor 

Hierarchy 

ao 

Supervisor 

All 

Electrical  Engineer 

Electrical 

a2 

Electrical  Observer 

Electrical 

Mechanical  Engineer 

Mechanical 

^4 

Mechanical  Observer 

Mechanical 

Ergonomics  Engineer 

Ergonomic 

(a)  Description  of  actors. 


Figure  8:  Actor  x  feature  labels  and  descriptions  for  the  mouse  assembly  example. 


Each  of  the  lead  engineers  will  be  given  full  permissions  to  their  respective  subsystems.  They  are 
each  given  a  subordinate,  or  observer,  who  is  in  training  for  this  design.  The  sub-roles  created  for  this 
purpose  will  be  called  observer  roles.  The  engineers  of  one  particular  hierarchy  will  also  need  some  level 
of  viewing  permissions  to  the  other  hierarchies,  especially  at  the  interface  features.  These  roles  will  be 
called  interface  roles.  The  roles  for  the  electrical,  mechanical,  and  ergonomic  hierarchies  are  given  as 
re,  rm,  and  r*  respectively.  We’ll  use  a  second  subscript  to  denote  the  role’s  position  in  the  hierarchy 
where  0  is  labeled  as  the  lead  roles,  1  is  labeled  as  the  observer  roles,  and  2  is  for  the  interface  roles. 
This  actor-role  assignment  matrix  is  given  in  Figure  9(a).  The  observer  and  interface  roles  are  given 
less  viewing  privileges  than  the  lead  roles.  The  observer  roles  are  given  half  the  degree  of  visibility  as 
the  lead  roles,  and  the  interface  roles  are  given  half  the  degree  of  visibility  as  the  as  the  observer  roles. 
This  weighted  hierarchy  is  depicted  in  Figure  9(b).  Figure  9(c)  gives  the  complete  set  of  model-role 
assignments  for  the  mouse  assembly.  In  this  example,  one  clear  advantage  of  the  role  hierarchy  is  that 
model-role  assignments  exist  for  only  lead  engineers  and  the  subordinate  roles  inherit  those  permissions. 
Using  Figure  9(d)  gives  the  degree  of  visibility  values  computed  for  every  actor  x  feature. 

These  values  are  implicit  in  the  AR,  RH,  and  MR  structure. 
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(a)  Actor-Role  (AR)  assignment  matrix. 
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(b)  Weighted  DAG  represent¬ 
ing  the  Role  Hierarchy  (RH). 
The  re  hierarchy  is  assigned 
the  electrical  subsystem,  the  r^ 
hierarchy  is  assigned  the  me¬ 
chanical  subsystem,  and  the  r^ 
hierarchy  is  assigned  the  shell. 
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(c)  Model-Role  (MR)  assignment  matrix. 
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(d)  Degree  of  visibility  values  for  every  actor  x  feature 
computed  using  a(a,f  )-  These  values  can  he  derived 
from  the  AR,  RH,  and  MR  assignments  given  in  Fig¬ 
ures  9(a),  9(b),  and  9(c)  respectively. 


Figure  9:  All  security  associations  and  derived  mappings  for  the  mouse  assembly  example 


The  supervisor  (af)  has  unrestricted  access  to  all  features  of  the  assembly.  The  supervisor’s  role- 
based  view  is  given  in  Figure  10(a).  Figure  10(b)  shows  the  role-based  view  for  the  electrical  engineer 
(flg  0^  which  shows  the  electrical  features  in  full  resolution,  the  mechanical  features  in  a  lower  resolu¬ 
tion,  and  the  exterior  features  in  an  even  lower  resolution.  Figure  10(c)  gives  the  role-based  view  for 
the  mechanical  engineer  where  the  mechanical  features  are  displayed  in  full  resolution,  the  electrical 
features  in  a  lower  resolution,  and  the  exterior  features  in  even  lower  detail.  Figure  10(d)  depicts  the 
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ergonomics  engineer’s  (r^  q)  role-based  view  which  depicts  the  interior  and  exterior  in  full  resolution, 
but  the  remaining  features  are  displayed  in  a  low  resolution.  By  using  role-based  views,  designers  need 
not  be  concerned  with  unnecessary  design  details  and  the  protection  of  sensitive  intellectual  property  can 
be  maintained. 


7  Conclusions  and  Future  Work 

This  paper  developed  a  new  technique.  Hierarchical  Role-based  Viewing,  for  multi-level  information 
security  in  collaborative  3D  assembly  design.  Role  Hierarchies  naturally  reflect  an  organization’s  line 
of  authority  and  responsibility.  By  incorporating  security  with  collaborative  design,  the  costs  and  risks 
incurred  by  multi-organizational  collaboration  can  be  reduced.  Aside  from  digital  3D  watermarking, 
research  on  how  to  provide  security  issues  to  distributed  design,  working  in  collaborative  graphical 
environments,  remains  a  novel  and  relatively  unexplored  area.  The  authors  believe  that  this  work  is  the 
first  of  its  kind  to  bring  multi-level  security  to  geometric  data  in  the  field  of  computer-aided  design  and 
collaborative  engineering. 

Immediate  future  work  involves  using  multiresolution  techniques  directly  on  the  native  surface  types 
and  examining  network  configurations  to  reduce  aggregate  bandwidth.  We  are  currently  extending  these 
techniques  to  handle  B-spline  surfaces  directly.  The  motivation  for  handling  these  surfaces  is  to  demon¬ 
strate  that  for  certain  geometry,  multiresolution  surface  techniques  will  provide  a  more  intuitive  simpli¬ 
fication  result.  Crack  prevention,  permissions  on  patch  boundaries  when  adjacent  patches  have  different 
roles,  and  other  issues  will  need  to  be  addressed.  We  would  also  like  to  give  a  demonstration  of  the 
model  on  geometric,  as  well  as  semantic,  feature  data. 

Our  environment  has  been  extended  to  support  synchronous  multi-user  collaborative  CAD.  Optimal 
network  configurations  can  be  constructed  and  “grouping”  of  the  mesh  hierarchy  can  be  performed  for 
actors  and  assigned  similar  roles.  We  can  take  advantage  of  continuous  LOD  over  a  network  using  a 
progressive  technique,  such  as  Progressive  Meshes  [Hoppe,  1996].  This  results  in  computing  only  one 
mesh  hierarchy  for  an  entire  set  of  actors.  For  further  optimization,  multicast  networks  could  be  used  to 
properly  aggregate  bandwidth  when  actors  have  similar  privileges. 
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(a)  The  supervisor’s  (fly)  full  resolution  view.  (b)  The  electrical  engineer’s  (Oj)  role-based  view.  The 

electrical  features  are  displayed  in  full  resolution,  the  me¬ 
chanical  features  in  a  lower  resolution,  and  the  exterior 
features  in  an  even  lower  resolution. 


(c)  The  mechanical  engineer’s  (a^)  role-based  view.  Me¬ 
chanical  features  are  displayed  in  full  resolution,  the  elec¬ 
trical  features  in  a  lower  resolution,  and  the  exterior  fea¬ 
tures  in  even  lower  detail. 


(d)  The  ergonomic  engineer’s  (a^)  role-based  view.  This 
depicts  the  interior  and  exterior  in  full  resolution,  but  the 
remaining  features  are  displayed  in  a  low  resolution. 


Figure  10:  Role-based  views  for  the  mouse  assembly  example. 
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